﻿using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Data;
using System.Data.SqlClient;

namespace ESAM_Assignment_3
{
    public class UserClass
    {
        #region Attributes
        private int userID;
        private string username;
        private string password;
        #endregion

        #region Properties | GET and SET methods
        public int UserID
        {
            get { return userID; }
            set { userID = value; }
        }
        public string Username
        {
            get { return username; }
            set { username = value; }
        }
        public string Password
        {
            get { return password; }
            set { password = value; }
        }
        #endregion

        #region Constructor
        public UserClass()
        {
        }
        #endregion

        private static string connectionString = "data source=.\\SQLEXPRESS; initial catalog=" + Common.Database_Name + "; integrated security=true";

        /// <summary>
        /// Method to authenticate a user base on username and password provided by the user. 
        /// Returns TRUE if the user is successfully authenticated. FALSE if no matching record is found.
        /// </summary>
        /// <param name="username"></param>
        /// <param name="password"></param>
        /// <returns></returns>
        //public static bool UnsecuredLogin(string username, string password)
        //{
        //    bool result = false;
        //    String strQuery = "";
        //    SqlConnection myConn = new SqlConnection();
        //    SqlCommand myCmd;

        //    try
        //    {
        //        myConn.ConnectionString = connectionString;
        //        myConn.Open();

        //        strQuery += "SELECT COUNT(*) FROM Users WHERE Username='" + username + "' AND Password='" + password + "'";
        //        myCmd = new SqlCommand(strQuery, myConn);
        //        int count = (int)myCmd.ExecuteScalar();

        //        //There should ONLY be ONE record returned since username is unique.
        //        if (count > 0)
        //        {
        //            result = true;
        //        }
        //    }
        //    catch (Exception ex)
        //    {
        //        throw new Exception(ex.Message);
        //    }
        //    finally
        //    {
        //        myConn.Close();
        //    }

        //    return result;
        //}

        //Secured method
        public static bool SecuredLogin(string username, string password) 
        {
            bool result = false;
            String strQuery = "";
            SqlConnection myConn = new SqlConnection();
            SqlCommand myCmd;
            password = Encryption.shaEncrypt(password);
            try
            {
                myConn.ConnectionString = connectionString;
                myConn.Open();

                //eric
                strQuery += "SELECT COUNT(*) FROM Users WHERE Username=@username AND Password=@password";
                myCmd = new SqlCommand(strQuery, myConn);

                //eric
                myCmd.Parameters.AddWithValue("@username", username);
                myCmd.Parameters.AddWithValue("@password", password);

                int count = (int)myCmd.ExecuteScalar();

                //There should ONLY be ONE record returned since username is unique.
                if (count > 0)
                {
                    result = true;
                }
            }
            catch (Exception ex)
            {
                throw new Exception(ex.Message);
            }
            finally
            {
                myConn.Close();
            }

            return result;
        }

        /// <summary>
        /// Method to change the user's password. Current password will be verified first before updating to new password.
        /// </summary>
        /// <param name="userID"></param>
        /// <param name="CurrentPassword"></param>
        /// <param name="NewPassword"></param>
        /// <returns></returns>
        public static bool ChangePassword(string username, string CurrentPassword, string NewPassword)
        {
            bool result = false;
            String strQuery = "";
            SqlConnection myConn = new SqlConnection();
            SqlCommand myCmd;

            try
            {
                myConn.ConnectionString = connectionString;
                myConn.Open();
                CurrentPassword = Encryption.shaEncrypt(CurrentPassword);

                //eric
                strQuery = "SELECT COUNT(*) FROM Users WHERE Username= @username AND password= @CurrentPassword";

                myCmd = new SqlCommand(strQuery, myConn);

                //eric 
                myCmd.Parameters.AddWithValue("@username", username);
                myCmd.Parameters.AddWithValue("@CurrentPassword", CurrentPassword);

                int count = (int)myCmd.ExecuteScalar();

                //There should ONLY be ONE record returned since UserID is unique.
                if (count > 0)
                {
                    NewPassword = Encryption.shaEncrypt(NewPassword);

                    //eric
                    strQuery = "UPDATE Users SET Password=@NewPassword WHERE Username=@username";

                    myCmd = new SqlCommand(strQuery, myConn);
                    
                    //eric
                    myCmd.Parameters.AddWithValue("@NewPassword", NewPassword);
                    myCmd.Parameters.AddWithValue("@username", username);
                    
                    int row = myCmd.ExecuteNonQuery();

                    if (row == 1)
                    {
                        //There should ONLY be ONE record modified since UserID is unique.
                        result = true;
                    }
                }
            }
            catch (Exception ex)
            {
                throw new Exception(ex.Message);
            }
            finally
            {
                myConn.Close();
            }

            return result;
        }

        /// <summary>
        /// Method to retrieve the user's Fullname after the user has been authenticated.
        /// </summary>
        /// <param name="username"></param>
        /// <returns></returns>
        public static string GetFullname(string username)
        {
            String strQuery = "";
            SqlConnection myConn = new SqlConnection();
            SqlCommand myCmd;

            string result = "";

            try
            {
                myConn.ConnectionString = connectionString;
                myConn.Open();

                //eric
                strQuery += "SELECT Fullname FROM Users WHERE Username=@usernameString";

                myCmd = new SqlCommand(strQuery, myConn);

                //eric
                myCmd.Parameters.AddWithValue("@usernameString", username.ToString());

                SqlDataReader dr = myCmd.ExecuteReader();
                while (dr.Read())
                {
                    result = dr.GetString(0);
                }
            }
            catch (Exception ex)
            {
                throw new Exception(ex.Message);
            }
            finally
            {
                myConn.Close();
            }

            return result;
        }

        /// <summary>
        /// Method to retrieve the user's unique UserID after the user has been authenticated.
        /// </summary>
        /// <param name="username"></param>
        /// <returns></returns>
        public static string GetUserID222(string username)
        {
            String strQuery = "";
            SqlConnection myConn = new SqlConnection();
            SqlCommand myCmd;

            string result = "";

            try
            {
                myConn.ConnectionString = connectionString;
                myConn.Open();

                //eric
                strQuery += "SELECT UserID FROM Users WHERE Username=@usernameString";

                myCmd = new SqlCommand(strQuery, myConn);
                
                //eric
                myCmd.Parameters.AddWithValue("@usernameString", username.ToString());
                
                SqlDataReader dr = myCmd.ExecuteReader();
                while (dr.Read())
                {
                    result = dr.GetInt32(0).ToString();
                }
            }
            catch (Exception ex)
            {
                throw new Exception(ex.Message);
            }
            finally
            {
                myConn.Close();
            }

            return result;
        }
    }
}